From: "matthew patton via cygwin"
Reply-To: matthew patton
Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm
Mail-Followup-To: cygwin@cygwin.com
Date: Fri, 25 Jan 2019 04:42:00 -0000
Message-ID: <1690850474.834980.1548391349102@mail.yahoo.com>
References: <1690850474.834980.1548391349102.ref@mail.yahoo.com>
Subject: Re: sshd permits logon using disabled user?
X-SW-Source: 2019-01/txt/msg00221.txt.bz2

> I think refusing an account manually and deliberately disabled by an
> admin makes lots of sense.

Why is this even a discussion? You *ALWAYS* refuse a login to an account that is disabled, locked out, or has an expired password, or that has failed any of the other criteria that might be in effect (day/time restrictions, source IP restrictions, etc.).

Is someone suggesting that the Windows authentication API is actually returning a success code despite any of these conditions?

Furthermore, you also *NEVER* hint to the user why the login was denied. It's rule #1 of security engineering. Denied is denied. Explanations or hints are verboten.

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
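As an added illustration of the policy stated in the message above (not code from the original post, from Cygwin, or from OpenSSH's sshd): a login gate that denies disabled, locked-out, password-expired and policy-restricted accounts with one uniform client message, and records the specific reason only in an administrator-side audit log. The `Account` fields, rule names and `AUDIT_LOG` sink are assumptions made for this example, not the Windows or Cygwin data model.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed account record; the field names are assumptions for this
# example, not the Windows account or Cygwin sshd data model.
@dataclass
class Account:
    name: str
    disabled: bool = False
    locked_out: bool = False
    password_expired: bool = False
    logon_hours: tuple = (0, 24)      # permitted (start_hour, end_hour)
    allowed_nets: list = field(default_factory=list)  # CIDRs; empty = any

# The single message every refused attempt receives: it never says which
# rule failed, so a client cannot distinguish a disabled account from a
# locked one, an expired password, or a time/source restriction.
GENERIC_DENIAL = "Permission denied"

# Stands in for a real audit sink (syslog, Windows event log) that only
# the administrator can read; a real sink would add a timestamp.
AUDIT_LOG: list = []

def authorize(account: Account, source_ip: str, hour: int) -> tuple:
    """Apply every account-status rule; return (allowed, client_message)."""
    reasons = []
    if account.disabled:
        reasons.append("account disabled")
    if account.locked_out:
        reasons.append("account locked out")
    if account.password_expired:
        reasons.append("password expired")
    start, end = account.logon_hours
    if not (start <= hour < end):
        reasons.append("outside permitted logon hours")
    if account.allowed_nets:
        ip = ipaddress.ip_address(source_ip)
        if not any(ip in ipaddress.ip_network(n) for n in account.allowed_nets):
            reasons.append("source address not permitted")
    if reasons:
        # Full detail goes to the audit log only; the client gets the
        # same opaque answer regardless of how many rules failed.
        AUDIT_LOG.append(f"DENY user={account.name} from={source_ip} "
                         f"reason={'; '.join(reasons)}")
        return False, GENERIC_DENIAL
    AUDIT_LOG.append(f"ALLOW user={account.name} from={source_ip}")
    return True, "OK"
```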